This GDPR (General Data Protection Regulation) policy outlines the data protection practices and procedures implemented by Ashtrot LTD (“the MSP”) to ensure compliance with the GDPR and protect the personal data of our clients and their customers. This policy applies to all employees, contractors, and third-party service providers working on behalf of the MSP within the United Kingdom.
This policy applies to all personal data processed by the MSP, whether stored electronically or in hard copy format, and covers all stages of the data lifecycle, including collection, processing, storage, and destruction, as required by the GDPR.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Data Controller: The natural or legal person who determines the purposes and means of the processing of personal data.
- Data Processor: The natural or legal person who processes personal data on behalf of the data controller.
Data Protection Principles
The MSP is committed to adhering to the following data protection principles, as outlined in the GDPR:
- Lawfulness, fairness, and transparency: Personal data is processed lawfully, fairly, and in a transparent manner, ensuring individuals are informed about the processing activities.
- Purpose limitation: Personal data is collected for specified, explicit, and legitimate purposes and is not further processed in a manner incompatible with those purposes.
- Data minimisation: Personal data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy: Personal data is accurate and, where necessary, kept up to date. Reasonable steps are taken to rectify or erase inaccurate or incomplete data.
- Storage limitation: Personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
- Integrity and confidentiality: Personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and accidental loss, destruction, or damage.
Data Controller and Data Processor Responsibilities
- The MSP may act as either a data controller or a data processor, depending on the specific circumstances of the processing activities. The responsibilities of the MSP are as follows:
- Data Controller: When acting as a data controller, the MSP will ensure that personal data is collected and processed in compliance with applicable data protection laws. This includes obtaining the necessary consents, providing adequate information to data subjects, and implementing appropriate security measures to protect personal data.
- Data Processor: When acting as a data processor on behalf of a client, the MSP will process personal data only as instructed by the client and take appropriate technical and organisational measures to protect the data.
- The MSP will maintain a record of processing activities that includes information about the categories of personal data processed, the purposes of processing, the recipients of the data, and any cross-border transfers, as required by the GDPR.
Data Subject Rights
The MSP recognises and respects the data subject rights provided under the GDPR, including:
- Right to be informed: Data subjects have the right to be informed about the collection and use of their personal data.
- Right of access: Data subjects have the right to access their personal data and obtain information about how it is being processed.
- Right to rectification: Data subjects have the right to request the correction of inaccurate or incomplete personal data.
- Right to erasure: Data subjects have the right to request the deletion or removal of their personal data in certain circumstances.
- Right to restrict processing: Data subjects have the right to restrict the processing of their personal data in certain circumstances.
- Right to data portability: Data subjects have the right to request the transfer of their personal data to another organization or receive it in a structured, commonly used, and machine-readable format.
- Right to object: Data subjects have the right to object to the processing of their personal data in certain circumstances.
- Right to lodge a complaint: Data subjects have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if they believe their rights have been infringed.
Data Security Measures
The MSP is committed to implementing appropriate technical and organizational measures to ensure the security of personal data and protect against unauthorized access, loss, or destruction. These measures include:
- Regular risk assessments and reviews of security controls.
- Access controls and user authentication mechanisms to limit data access to authorized personnel.
- Encryption and pseudonymization of personal data where applicable.
- Regular data backup procedures to ensure data integrity and availability.
- Ongoing staff training and awareness programs to promote data security best practices.
- Incident response and data breach management procedures to promptly address any security incidents or breaches.
International Data Transfers
If the MSP transfers personal data to countries outside the European Economic Area (EEA), appropriate safeguards will be implemented, as required by the GDPR, to ensure an adequate level of protection for the transferred data. This may include the use of EU Standard Contractual Clauses, binding corporate rules, or other approved mechanisms for international data transfers.
Data Protection Officer (DPO)
The MSP will appoint a Data Protection Officer (DPO) who will be responsible for overseeing the organization’s data protection practices, providing guidance, monitoring compliance, and serving as a point of contact for data subjects and the supervisory authority (ICO).
Policy Review and Updates
This GDPR policy will be regularly reviewed and updated to ensure ongoing compliance with the GDPR and any changes to applicable data protection laws. Employees and relevant stakeholders will be informed of any updates to this policy and associated procedures.
For any questions, concerns, or requests related to data protection and the GDPR, individuals can contact the MSP’s designated Data Protection Officer (DPO) HERE.
Date of Last Policy Review: February 2023